Univention Bugzilla – Bug 52401
can not add new users with udm nor new users are synced from AD - uidNumber could not get locked
Last modified: 2021-09-06 12:44:28 CEST
univention-app info
UCS: 4.4-6 errata803
Installed: adconnector=12.0 kopano-core=8.7.1.0-1 kopano-webapp=3.5.14.2539-2 samba-memberserver=4.7 z-push-kopano=2.4.5

root@kopano01:~# udm users/user create --set username=foobar8 --set password=univention12345... --set lastname=foo
E: Object exists: (nolock) The attribute 'uidNumber' could not get locked.

root@kopano01:~# univention-ldapsearch -LLL 'univentionLastUsedValue=*' univentionLastUsedValue
dn: cn=gidNumber,cn=temporary,cn=univention,dc=customer,dc=local
univentionLastUsedValue: 5179

dn: cn=uidNumber,cn=temporary,cn=univention,dc=customer,dc=local
univentionLastUsedValue: 1000001

root@kopano01:~# udm users/user create --set username=foobar8 --set password=univention12345... --set lastname=foo --set uidNumber=1000000
Object created: uid=foobar8,dc=customer,dc=local

Seems like the enumeration / selection of new UIDs is broken in some way.

console logs (incoming change via AD connector):

19.11.2020 18:47:30.899 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=max mustermann,CN=Users,DC=customer,DC=local
19.11.2020 18:47:30.905 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=max.mustermann,cn=users,dc=customer,dc=local
19.11.2020 18:47:30.930 LDAP (ERROR ): Unknown Exception during sync_to_ucs
19.11.2020 18:47:30.931 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1329, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1149, in add_in_ucs
    return bool(ucs_object.create())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1231, in _create
    self._ldap_pre_create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/users/user.py", line 1584, in _ldap_pre_create
    self['uidNumber'] = univention.admin.allocators.request(self.lo, self.position, 'uidNumber')
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 194, in request
    return acquireRange(lo, position, type, _type2attr[type], [{'first': 1000, 'last': 55000}, {'first': 65536, 'last': 1000000}], scope=_type2scope[type])
  File "/usr/lib/python2.7/dist-packages/univention/admin/allocators.py", line 158, in acquireRange
    raise univention.admin.uexceptions.noLock(_('The attribute %r could not get locked.') % (atype,))
noLock: The attribute 'uidNumber' could not get locked.
We are allocating only 1.000.000 uidNumbers. It seems this somehow was exceeded. I guess you don't have that many users/groups?!

> dn: cn=uidNumber,cn=temporary,cn=univention,dc=customer,dc=local
> univentionLastUsedValue: 1000001

What caused changing it to this value? Our code? Your code? (A hacker?).
This may happen if you create a user with uidNumber=1000000 manually. Do you have such a value? Maybe in Samba / AD?
FYI: The high value may be caused by an AD-Connector sync loop, e.g. if the sync of a user object from AD to UDM/OpenLDAP fails at the second stage e.g. due to a UDM hook. Then the object constantly would get created and deleted again. That should show up in the connector.log though.
Anyway, I think this is site specific and needs to be handled via support of help.univention.de. It doesn't look like a product bug. Although the message could be more informative.
Indeed I did not create a user manually. And indeed it was due to a sync problem/loop that increased the number. We only have a bunch of users and just test UCS at the moment to see if it fits our needs. Can the value be reset manually?
(In reply to stefan.bauer from comment #4)
> Can the value be reset manually?

Yes. You can get the highest number in use by:

univention-ldapsearch -LLL '(&(objectClass=person)(uidNumber=*))' uidNumber | grep ^uidNumber: | sort | tail -1

Just set it to that value.
(In reply to Florian Best from comment #5)
> (In reply to stefan.bauer from comment #4)
> univention-ldapsearch -LLL '(&(objectClass=person)(uidNumber=*))' uidNumber | grep ^uidNumber: | sort | tail -1

This is wrong as "11" < "2" when comparing numbers as strings; use `sort -k2n`.
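
The two pipelines from comment #5 and its follow-up, run side by side over constructed sample LDIF. This is an added example, not part of the bug report or Univention's code. The sample entries and function names are assumptions; the range end is the one shown in the traceback above.

```shell
#!/bin/sh
# Added example, not from the bug report.

# End of the allocator's last uidNumber range, as shown in the traceback
# on this page: {'first': 65536, 'last': 1000000}.
ALLOC_LAST=1000000

# Constructed sample LDIF in the shape univention-ldapsearch -LLL prints.
sample_ldif() {
cat <<'EOF'
dn: uid=alice,cn=users,dc=customer,dc=local
uidNumber: 2001

dn: uid=bob,cn=users,dc=customer,dc=local
uidNumber: 11

dn: uid=carol,cn=users,dc=customer,dc=local
uidNumber: 999

dn: uid=foobar8,dc=customer,dc=local
uidNumber: 1000000
EOF
}

# Pipeline from comment #5: lexical sort, so "999" sorts after "1000000".
highest_uid_string_sort() {
    grep '^uidNumber:' | LC_ALL=C sort | tail -1 | awk '{print $2}'
}

# Same pipeline with the numeric key suggested in the follow-up comment.
highest_uid() {
    grep '^uidNumber:' | LC_ALL=C sort -k2n | tail -1 | awk '{print $2}'
}

# True when a value sits at or past the end of the allocator range.
at_range_end() {
    [ "$1" -ge "$ALLOC_LAST" ]
}

lexical=$(sample_ldif | highest_uid_string_sort)
numeric=$(sample_ldif | highest_uid)
echo "lexical sort picks: $lexical"
echo "numeric sort picks: $numeric"
if at_range_end "$numeric"; then
    echo "highest uidNumber in use is at the end of the allocator range ($ALLOC_LAST)"
fi
```

On a live system the functions would read the output of the univention-ldapsearch command quoted above instead of sample_ldif.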
Based on bug 52373 I assume this is a win2008r2 AD
Yes, it is 2008 r2.